RSA paid millions by National Security Agency for backdoor encryption

Posted 23 December 2013 - 03:52 PM

The US National Security Agency (NSA) arranged a secret $10 million (£6.1 million, AU$11.2 million) contract with security company RSA to embed flaws in its encryption software.

It is not clear at this stage whether the deal with RSA was a singular one or if other security firms may have been approached.

Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers. This was used to create a 'back door' in security products.

Reuters reported that the RSA became the most important distributor of that formula. The firm is reportedly implementing it in a software tool used to enhance security in personal computers and other products. It has now been disclosed that the company received substantial payment for this.

RSA, now a subsidiary company of storage giant EMC, has a long history of championing privacy and security. It played a major role in blocking the NSA's effort in 1990s to enable spying on a wide range of computers and products.

Denial

The firm urged people to stop using the NSA formula after the Snowden disclosures revealed its weakness. A statement from the company said "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own."

NSA documents released in recent months have called for 'commercial relationships' to advance their security goals, but did not name any specific firms as collaborators.

The agency came under attack this week in a report from a White House panel. The panel noted that "encryption is an essential basis for trust on the internet," and called for a halt to NSA efforts to undermine in.